
India Proposes Digital Data Rules with Tough Penalties and Cybersecurity Requirements

Posted on January 6, 2025 by admin

Jan 06, 2025Ravie LakshmananRegulatory Compliance / Data Privacy

The Indian government has published a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation.

“Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent,” India’s Press Information Bureau (PIB) said in a statement released Sunday.

“Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data.”

The rules, which seek to operationalize the Digital Personal Data Protection Act, 2023, also give citizens greater control over their data, providing them with options for giving informed consent to the processing of their information, as well as the right to have it erased by digital platforms and to have grievances addressed.

Companies operating in India are further required to implement security measures, such as encryption, access control, and data backups, to safeguard personal data, and ensure its confidentiality, integrity, and availability.

Some of the other notable provisions of the DPDP Act that data fiduciaries are expected to comply with are listed below:

  • Implement mechanisms for detecting and addressing breaches and maintenance of logs
  • In the event of a data breach, provide detailed information about the sequence of events that led to the incident, actions taken to mitigate the threat, and the identity of the individual(s), if known, within 72 hours (or more, if permitted) to the Data Protection Board (DPB)
  • Delete personal data no longer needed after a three-year period and notify individuals 48 hours before erasing such information
  • Clearly display on their websites/apps the contact details of a designated Data Protection Officer (DPO) who is responsible for addressing any questions regarding the processing of users’ personal data
  • Obtain verifiable consent from parents or legal guardians prior to processing the personal data of children under 18 or persons with disabilities (exemptions include healthcare professionals, educational institutions, and childcare providers, but only restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking)
  • Conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year, and report the results to DPB (limited to only data fiduciaries deemed “significant”)
  • Adhere to requirements the federal government sets when it comes to cross-border data transfers (the exact categories of personal data that must remain within India’s borders will be determined by a specialized committee)

The draft rules have also proposed certain safeguards for citizens when their data is being processed by federal and state government agencies, requiring that such processing happen in a manner that’s lawful, transparent, and “in line with legal and policy standards.”

Organizations that misuse or fail to safeguard individuals’ digital data, or fail to notify the DPB of a security breach, can face monetary penalties of up to ₹250 crore (nearly $30 million).

The Ministry of Electronics and Information Technology (MeitY) is soliciting feedback from the public on the draft regulations until February 18, 2025. It also said the submissions will not be disclosed to any party.

The DPDP Act was formally passed in August 2023 after being reworked several times since 2018. The data protection regulation came forth in the wake of a 2017 ruling from India’s top court which reaffirmed the right to privacy as a fundamental right under the Constitution of India.

The development comes over a month after the Department of Telecommunications issued the Telecommunications (Telecom Cyber Security) Rules, 2024, under the Telecommunications Act, 2023, to secure communication networks and impose stringent data breach disclosure guidelines.

According to the new rules, a telecom entity must report any security incident affecting its network or services to the federal government within six hours of becoming aware of it, with the affected company also sharing additional relevant information within 24 hours.

In addition, telecommunication companies are required to appoint a Chief Telecommunication Security Officer (CTSO) who must be an Indian citizen and a resident of India, and share traffic data – excluding message content – with the federal government in a specified format for “protecting and ensuring telecom cybersecurity.”

However, the Internet Freedom Foundation (IFF) said the “overbroad phrasing” and the removal of the definition of “traffic data” from the draft could open the door for misuse.

© 2025 Dewayne Hart | Cybersecurity Leadership & Innovation